===========
Secure HTTP
===========

------------
Module: core
------------

:Author: Jan Kneschke
:Date: $Date$
:Revision: $Revision$

:abstract:
  How to setup SSL in lighttpd
  
.. meta::
  :keywords: lighttpd, ssl
  
.. contents:: Table of Contents

Description
===========

lighttpd support SSLv2 and SSLv3. It is using openssl_
to provide this functionality.

If you are compiling lighttpd yourself you have to add ``--with-openssl`` 
to the options of the ``configure``.

.. _openssl: http://www.openssl.org/

Configuration
-------------

To enable SSL for the whole server you have to provide a valid 
certificate and have to enable the SSL engine.::

  ssl.engine = "enable"
  ssl.pemfile = "/path/to/server.pem"
  
As SSL and named-based virtual hosting can not work together you 
have to use IP-based virtual hosting if you want to run multiple
SSL-servers with one lighttpd: ::

  $SERVER["socket"] == "10.0.0.1:443" {
    ssl.engine                  = "enable"
    ssl.pemfile                 = "www.example.org.pem"
    server.name                 = "www.example.org"

    server.document-root        = "/www/servers/www.example.org/pages/"
  }

If you are using an intermediate certificate please specify it as: ::
  
  ssl.ca-file = "/path/to/intermediate.pem"

If you are migrating from Apache and have seperate files for certificate and key,
cat them together and build you server.pem that way: ::

  $ cat server.crt server.key >> server.pem


Self-Signed Certificates
------------------------

A self-signed SSL cerifitcate can be generated with: :: 
  
  $ openssl req -new -x509 \
    -keyout server.pem -out server.pem \
    -days 365 -nodes